Thursday, August 27, 2020

[389-users] dsconf errors on exec of "Updating the List of Enabled Ciphers" with "-all," included


Updating the List of Enabled Ciphers
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/enabling_tls#idm140548437003312

exec

dsconf -D "cn=Directory Manager" testinst security ciphers set "-all,+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"

returns

usage: dsconf instance security ciphers set [-h] cipher-string
dsconf instance security ciphers set: error: the following arguments are required: cipher-string

checking

dsconf instance security ciphers set -h
usage: dsconf instance security ciphers set [-h] cipher-string

Use this command to directly set nsSSL3Ciphers attribute. It is a comma separated list of cipher names (prefixed with + or
-), optionally including +all or -all. The attribute may optionally be prefixed by keyword default. Please refer to
documentation of the attribute for a more detailed description.

positional arguments:
cipher-string

optional arguments:
-h, --help show this help message and exit

re-attempt rm'in "-all"

dsconf -D "cn=Directory Manager" testinst security ciphers set "+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"

Remeber to restart the server to apply the new cipher set.
(^^^^ fyi, typo)
Some ciphers may be disabled anyway due to allowWeakCipher attribute.

but, here

grep -i weak /etc/dirsrv/slapd-testinst/dse.ldif
allowWeakCipher: off
allowWeakDHParam: off

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
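
An added example, not part of the original post and not dsconf's own code: a stand-in parser built with Python's argparse that reproduces the "arguments are required: cipher-string" error when the cipher string starts with "-all", and shows the conventional "--" separator letting the same value through. Assumptions: dsconf's subcommand behaves like this single-positional stand-in; build_parser and try_parse are hypothetical names; the "--" form is exercised here against the stand-in only.

```python
import argparse

CIPHERS = ("+TLS_CHACHA20_POLY1305_SHA256,"
           "+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")


class ParseFailed(Exception):
    """Raised instead of exiting so the argparse message can be inspected."""


class QuietParser(argparse.ArgumentParser):
    def error(self, message):
        raise ParseFailed(message)


def build_parser():
    # Stand-in for "dsconf instance security ciphers set" (hypothetical).
    parser = QuietParser(prog="dsconf instance security ciphers set")
    parser.add_argument("cipher-string")
    return parser


def try_parse(argv):
    """Return ("ok", value) or ("error", message) for an argv list."""
    try:
        ns = build_parser().parse_args(argv)
    except ParseFailed as exc:
        return ("error", str(exc))
    # Positional dest keeps its hyphen, so getattr is needed.
    return ("ok", getattr(ns, "cipher-string"))


if __name__ == "__main__":
    cases = [
        ["-all," + CIPHERS],        # leading "-" is read as an option flag
        [CIPHERS],                  # leading "+" is read as a positional
        ["--", "-all," + CIPHERS],  # "--" ends option parsing first
    ]
    for argv in cases:
        print(argv, "->", try_parse(argv))
```
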
